Access Control List Processing in Hardware

Background of the Invention 

1. Field of the Invention

This invention relates to access control list processing. 
2. Related Art

In a computer network for transmitting information, messages can be restricted from being transmitted from selected source devices to selected destination devices. In known computer networks, this form of restriction is known as "access control" and is performed by routers, which route messages (in the form of individual packets of information) from source devices to destination devices. One known technique for access control is for each router to perform access control by reference to one or more ACLs (access control lists); the ACL describes which selected source devices are permitted (and which denied) to send packets to which selected destination devices.



In a known standard for ACL format, each ACL includes a plurality of access control specifiers, each of which selects a range of sender and destination IP address prefix or subnet, and port, and provides that packet transmission from that selected set of senders to that selected set of destinations is either specifically permitted or specifically denied. ACLs are associated with input interfaces and independently with output interfaces for each router. In known routers such as those manufactured by Cisco Systems, Inc., of San Jose, California, the router is provided with an ACL using an ACL command language, interpreted by operating system software for the router, such as the IOS operating system.
One problem in the known art is that processing of packets to enforce access control according to the ACL is processor-intensive and can therefore be relatively slow, particularly in comparison with desired rates of speed for routing packets. This problem is exacerbated when access control is enforced for packets using software in the router, because software processing of the ACL can be quite slow relative to hardware processing of the packet for routing.

One known solution is to reduce the number of packets for which access control requires actual access to the ACL. In a technique known as "netflow switching," packets are identified as belonging to selected "flows," and each packet in a flow is expected to have identical routing and access control characteristics. Therefore, access control only requires reference to the ACL for the first packet in a flow; subsequent packets in the same flow can have access control enforced identically to the first packet, by reference to a routing result cached by the router and used for the entire flow.

Netflow switching is further described in detail in the following patent applications:

o U.S. Application Serial No. 08/581,134, titled "Method For Traffic Management, Traffic Prioritization, Access Control, and Packet Forwarding in a Datagram Computer Network", filed December 29, 1995, in the name of inventors David R. Cheriton and Andreas V. Bechtolsheim, assigned to Cisco Technology, Inc., attorney docket number CIS-019;

o U.S. Application Serial No. 08/655,429, titled "Network Flow Switching and Flow Data Export", filed May 28, 1996, in the name of inventors Darren Kerr and Barry Bruins, and assigned to Cisco Technology, Inc., attorney docket number CIS-016; and

o U.S. Application Serial No. 08/771,438, titled "Network Flow Switching and Flow Data Export", filed December 20, 1996, in the name of inventors Darren Kerr and Barry Bruins, assigned to Cisco Technology, Inc., attorney docket number CIS-017.

These patent applications are collectively referred to herein as the "Netflow Switching Disclosures". Each of these applications is hereby incorporated by reference as if fully set forth herein.

17 

While netflow switching achieves the goal of improving the speed of enforcing access control by the router, it still has the drawback that comparing at least some incoming packets against the ACL must be performed using software. Thus, the relative slowness required by software processing of the ACL is not completely avoided.
Summary of the Invention

The invention provides a method and system for hardware processing of ACLs and thus hardware enforcement of access control. A sequence of access control specifiers from an ACL are recorded in a CAM, and information from the packet header is used to attempt to match selected source and destination IP addresses or subnets, ports, and protocols, against all the ACL specifiers at once. Successful matches are input to a priority selector, which selects the match with the highest priority (that is, the match that is first in the sequence of access control specifiers). The specified result of the selected match is used to permit or deny access for the packet without need for software processing, preferably at a rate comparable to wirespeed.



In a preferred embodiment, the CAM includes an ordered sequence of entries, each of which has an array of ternary elements for matching on logical "0", logical "1", or on any value, and each of which generates a match signal. The ACL entered for recording in the CAM can be optimized to reduce the number of separate entries in the CAM, such as by combining entries which are each special cases of a more general access control specifier.

19 

A router including the CAM can also include preprocessing circuits for certain range comparisons which have been found both to be particularly common and to be otherwise inefficiently represented by the ternary nature of the CAM. For example, comparisons of the port number against known special cases, such as "greater than 1023" and "within the range 6000 to 6500", can be treated by circuitry for performing range comparisons or by reference to one or more auxiliary CAMs.



The invention can also be used to augment or override routing decisions otherwise made by the router, so as to implement QOS (quality of service), and other administrative policies, using the CAM.

8 

Brief Description of the Drawings

Figure 1 shows a block diagram of a system for access control list processing.

Figure 2 shows a block diagram of an access control element.

Figure 3 shows a flow diagram of a method for access control list processing in hardware.

Detailed Description of the Preferred Embodiment



In the following description, a preferred embodiment of the invention is described with regard to preferred process steps and data structures. Those skilled in the art would recognize after perusal of this application that embodiments of the invention can be implemented using circuits adapted to particular process steps and data structures described herein, and that implementation of the process steps and data structures described herein would not require undue experimentation or further invention.

System Elements



Figure 1 shows a block diagram of a system for access control list processing.

A system 100 includes a set of packet input interfaces 101, a routing element 110, an access control element 120, and a set of packet output interfaces 102. The system 100 receives packets 130 at the input interfaces 101; each packet 130 indicates a source device 131, from which it was sent, and a destination device 132, to which it is intended to go. The routing element 110 processes each packet 130 to select one or more of the output interfaces 102 to which the packet 130 should be forwarded. The access control element 120 determines if the packet 130 has permission to be forwarded from its source device 131 to its destination device 132. Each packet 130 that has permission to be forwarded is output to its selected output interfaces 102.
In a first set of alternative embodiments, the system 100 may include a plurality of access control elements 120 operating in parallel in place of the single access control element 120.

In a second set of alternative embodiments, the system 100 may include one or more access control elements 120 coupled to the input interfaces 101 and operating to determine if packets 130 have permission to be forwarded from their source devices 131 at all. The access control element 120 is shown coupled to the routing element 110 to perform access control after a routing decision has been made. However, the access control element 120 is still capable of denying access to packets 130 responsive to whether they have permission to be forwarded from their source devices 131 at all.

In a third set of alternative embodiments, the system 100 may include one or more access control elements 120 coupled to individual input interfaces 101 and operating to make access control determinations for packets 130 arriving at particular input interfaces 101. Similarly, the system 100 may include one or more access control elements 120 coupled to individual output interfaces 102 and operating to make access control determinations for packets 130 forwarded to particular output interfaces 102.

19 

Access Control Element

Figure 2 shows a block diagram of an access control element.
In a preferred embodiment, the access control element 120 operates on a set of selected elements of a packet header 133 for each packet 130. The system 100 collects the selected elements into a packet label 200.

In a preferred embodiment using netflow switching, the packet label 200 used for access control at the input interfaces 101 includes a source device 131, the destination device 132, a port identifier for a port at the source device 131, a port identifier for a port at the destination device 132, and a protocol type. In alternative embodiments, the packet label 200 may be any collection of information derived from the packet 130 (preferably from the packet header 133) used for access control.

The concept of preprocessing the packet label has wide applicability, including determining other routing information in response to data in the packet header. For example, in addition to or instead of comparing data in the packet header against known special cases, such as "greater than 1023" and "within the range 6000 to 6500," preprocessing can include performing logical or arithmetic operations on data in the packet header. Preprocessing can also include data lookup, or substituting new data, in response to data in the packet header.
The access control element 120 includes an input port 201 coupled to the packet label 200, an access control memory 210, a priority encoder 220, and an output port 202 coupled to the priority encoder 220.

4 

When the access control element 120 is disposed for controlling access for packets responsive to their input interfaces 101, the packet label 200 includes an identifier for the input interface 101. When the access control element 120 is disposed for controlling access for packets responsive to their output interfaces 102, the packet label 200 includes an identifier for the output interface 102.

The access control memory 210 includes a CAM (content-addressable memory) having a sequence of access control specifiers 211. Each access control specifier 211 includes a label match mask 212 and a label match pattern 213. For each access control specifier 211, each bit of the label match mask 212 determines whether or not a corresponding bit of the packet label 200 is tested. If so, the corresponding bit of the label match pattern 213 is compared for equality with the corresponding bit of the packet label 200. If all compared bits are equal, the access control specifier 211 matches the packet label 200. Bits that are not compared have no effect on whether the access control specifier 211 is considered to match the packet label 200 or not.

The priority encoder 220 is coupled to all of the access control specifiers 211, and receives an indicator from each one whether or not that access control specifier 211 matched the packet label 200. The priority encoder 220 selects the single access control specifier 211 with the highest priority (in a preferred embodiment, the one with the lowest address in the access control memory 210) and provides an indicator of that single access control specifier 211 to the output port 202.



The indicator provided to the output port 202 specifies whether or not the packet 130 has permission to be forwarded from its specified source device 131 to its specified destination device 132. In a preferred embodiment, the indicator specifies one of three possibilities: (a) the packet 130 is forwarded to its calculated output interface and on to its specified destination device 132; (b) the packet 130 is dropped; or (c) the packet 130 is forwarded to a "higher-level" processor for further treatment. When a packet 130 is dropped it is effectively denied access from its specified source device 131 to its specified destination device 132.

The higher-level processor includes a general-purpose processor, program and data memory, and mass storage, executing operating system and application software for software (rather than hardware) examination of the packet 130. The packet 130 is compared, possibly to the access control specifiers 211 and possibly to other administrative policies or restrictions, by the higher-level processor. The higher-level processor specifies whether the packet 130, after processing by the higher-level processor, is forwarded to a selected output interface or is dropped.
Access Control Lists

A Cisco access control list includes a sequence of access control entries, which are mapped to a set of access control specifiers 211. Each access control entry has a structure according to the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} protocol source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]
This syntax, its meaning, and access control entries in general, are further described in documentation for Cisco IOS software, available from Cisco Systems, Inc., in San Jose, California, and hereby incorporated by reference as if fully set forth herein.
Access control entries can specify that particular actions are permitted, denied, or that they will be recorded in a log. Access control entries are interpreted sequentially. Thus, an earlier more specific access control entry can prohibit particular actions (such as receiving messages from a particular sending device), while a later more general access control entry can permit the same actions for other devices (such as other sending devices in the same network).
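As an added example that is not code from the patent or from Cisco IOS, the following Python translates entries written in the subset of the syntax above that uses eq as the port operator (plus the IOS any and host address shorthands) into label match mask / label match pattern form, and then applies the entries in sequence, so that an earlier, more specific deny takes effect ahead of a later, more general permit for the same network. The label layout, the function names and the sample list are assumptions made for this illustration.

```python
# Added example, not code from the patent or from Cisco IOS: a parser for the
# subset of the access-list syntax quoted above (eq as the only port operator,
# plus the IOS "any" and "host" address shorthands), translating each entry
# into label match mask / label match pattern form and applying the entries
# in sequence. The label layout and all function names are assumptions.
import ipaddress

PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # ip: any protocol
ALL32, ALL16, ALL8 = 0xFFFFFFFF, 0xFFFF, 0xFF


def pack(src, dst, sport, dport, proto):
    """Assumed label layout: src(32) | dst(32) | sport(16) | dport(16) | proto(8)."""
    return (src << 72) | (dst << 40) | (sport << 24) | (dport << 8) | proto


def _address(tokens):
    """Consume 'any' | 'host A' | 'A W' and return (pattern, mask). A wildcard
    bit of 1 means 'ignore this bit', i.e. a mask bit of 0 (untested)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), ALL32
    addr = int(ipaddress.IPv4Address(t))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr & (ALL32 ^ wildcard), ALL32 ^ wildcard


def _port(tokens):
    """Consume an optional 'eq N'; return (pattern, mask). Operators such as
    gt or range need a range decomposition and are not handled here."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0)), ALL16
    return 0, 0


def parse_ace(line):
    """access-list N {deny|permit} protocol source source-wildcard [eq port]
    destination destination-wildcard [eq port] [log]"""
    tokens = line.split()
    assert tokens[0] == "access-list" and tokens[2] in ("deny", "permit")
    number, action, proto = int(tokens[1]), tokens[2], PROTO_NUMBERS[tokens[3]]
    tokens = tokens[4:]
    src, src_m = _address(tokens)
    sport, sport_m = _port(tokens)
    dst, dst_m = _address(tokens)
    dport, dport_m = _port(tokens)
    proto_v, proto_m = (0, 0) if proto is None else (proto, ALL8)
    return {"number": number, "action": action, "log": "log" in tokens,
            "pattern": pack(src, dst, sport, dport, proto_v),
            "mask": pack(src_m, dst_m, sport_m, dport_m, proto_m)}


def first_match(aces, label):
    """Entries are interpreted sequentially: the first one that matches decides."""
    for ace in aces:
        if (label ^ ace["pattern"]) & ace["mask"] == 0:
            return ace
    return None


def evaluate(acl_lines, src, dst, sport, dport, proto):
    """Translate the list and decide for one packet; no match is treated as
    deny (IOS lists end with an implicit deny)."""
    aces = [parse_ace(line) for line in acl_lines]
    label = pack(int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                 sport, dport, proto)
    hit = first_match(aces, label)
    return hit["action"] if hit else "deny"


# Constructed sample list: a specific deny for one host ahead of a general
# permit for its whole network.
SAMPLE_ACL = [
    "access-list 101 deny tcp host 10.1.1.5 any eq 23 log",
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 any",
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "10.1.1.5", "192.0.2.1", 40000, 23, 6))   # deny
    print(evaluate(SAMPLE_ACL, "10.1.1.9", "192.0.2.1", 40000, 23, 6))   # permit
```

The wildcard mask of the command language maps directly onto the label match mask: each wildcard bit set to 1 becomes an untested (don't-care) bit, which is why the translation needs no arithmetic beyond a bitwise complement.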
When an access control list is translated for entry into the access control memory, it is optimized to reduce the number of separate entries that are used. Thus, an access control list with N separate access control entries is translated into a set of access control specifiers 211 that can be smaller or larger than N, depending on the effect of optimization.

A first optimization detects separate access control entries that each refer to a special case of a more general access control specifier 211, such as in one of the following cases:

o A first access control entry provides a selected permission for a selected source device 131 2S, and a second access control entry provides the same permission for a selected source device 131 2S+1. The first and second access control entries can be translated into a single more general access control specifier 211 with an unmatched bit in the 2^0 position.

o A set of access control entries each provides the same selected permission for a range of selected source devices 131 S through T, and the range S through T can be represented as a smaller number of bit strings with unmatched bits.

o A set of access control entries provides a selected permission for a comparison of source device 131 addresses with a test value V.
A second optimization detects range comparisons that have been found to be particularly common. For example, it is common to compare the source or destination port number for being greater than 1023, or for being within the range 6000 to 6500. To compare the source or destination port number for being greater than 1023 with matched and unmatched bits would use about six entries for each such comparison (to test each one of the six high-order bits of the port number for being logical "1").

In a preferred embodiment, a comparison circuit 230 compares the source port number and the destination port number with these known ranges and provides a set of comparison bits 231 indicating whether or not the source port number and the destination port number are within each specified range. The comparison circuit 230 includes a finite state machine 232 (or other element) for storing lower and upper bounds for each specified range. The comparison bits 231 are coupled to the input port 201 of the access control element 120 for treatment as matchable input bits supplemental to the header of the packet 130.
In various embodiments, the invention can be used to augment or override routing decisions otherwise made by the router, using the access control element 120. In addition to specifying that the packet 130 is to be dropped or forwarded to the higher-level processor, the access control element 120 can alter the output interface, which was selected by the routing element 110, to another selected output interface. The invention can thus be used to implement QOS (quality of service) policies and other administrative policies.

Method of Operation

Figure 3 shows a flow diagram of a method for access control list processing in hardware.

A method 300 includes a set of flow points to be noted, and steps to be executed, cooperatively by the elements of the system 100.

At a flow point 310, a packet is received at one of the packet input interfaces 101.

At a step 321, the routing element 110 receives an input packet 130.

At a step 322, the routing element 110 identifies the header for the packet 130.

At a step 323, the routing element 110 selects portions of the header for use as the packet label 200 for access control. In a preferred embodiment, the packet label 200 used for access control at the input interfaces 101 includes the source device 131, the destination device 132, the port identifier at the source device 131, the port identifier at the destination device 132, and a protocol type.

At a step 324, the routing element 110 couples the packet label 200 and an input interface specifier to the input access control element 120.

At a step 325, the routing element 110 determines a selected output interface for the packet 130.

At a step 326, preferably performed in parallel with the step 325, the input access control element 120 determines the input permission for the packet 130, that is, whether the routing element 110 permits forwarding the packet 130 from the source device 131 for the packet 130.

The step 326 includes matching the packet label 200 against the access control memory 210 for the input access control element 120, determining all of the successful matches, coupling the successful matches to the priority encoder 220 for the input access control element 120, determining the highest-priority match, and providing an output result from the input access control element 120.

If at the step 326, the input access control element 120 determines that the higher-level processor should process the packet 130, the higher-level processor processes the packet 130. A result from the higher-level processor is substituted for the result from the input access control element 120.

If at the step 326, the input access control element 120 (or the higher-level processor) determines that the packet 130 should be dropped, the packet 130 is dropped, and the routing element 110 takes no further action with regard to the packet 130.



At a step 327, the routing element 110 couples the packet label 200 and the output interface specifier to the output access control element 120.

At a step 328, the output access control element 120 determines the output permission for the packet 130, that is, whether the routing element 110 permits forwarding the packet 130 to the destination device 132 for the packet 130.

The step 328 includes the following actions:

o matching the packet label 200 against the access control memory 210 for the output access control element 120;

o determining all of the successful matches;

o coupling the successful matches to the priority encoder 220 for the output access control element 120;

o determining the highest-priority match; and

o providing an output result from the output access control element 120.

If at the step 328, the output access control element 120 determines that the higher-level processor should process the packet 130, the higher-level processor processes the packet 130. A result from the higher-level processor is substituted for the result from the output access control element 120.

If at the step 328, the output access control element 120 (or the higher-level processor) determines that the packet 130 should be dropped, the packet 130 is dropped, and the routing element 110 takes no further action with regard to the packet 130.

At a flow point 330, the packet is ready for transmission to one of the packet output interfaces 102.
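The access control element of Figure 2 and the method of Figure 3, as an added example in Python that is not code from the patent: labels are packed from header fields, each specifier is a mask/pattern pair, every specifier is compared against the label and the lowest address among the matches wins (the priority encoder), and the result is one of forward, drop, or punt to a higher-level processor whose decision replaces the hardware result. The input check and the output check each use a label carrying the respective interface identifier, and the route lookup runs between them. Field widths, the function names, the sample lists, the toy routing and software policies, and the treatment of a label that matches no specifier (dropped here) are assumptions of this model.

```python
# Added example, not code from the patent: a software model of the access
# control element 120 (label match mask 212 / pattern 213, priority encoder
# 220, the three possible results) driven through the input/output method of
# Figure 3. Field widths, function names, the sample configuration and the
# result for a label matching no specifier are assumptions of this model.
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Action(Enum):
    FORWARD = "forward"  # (a) forward to the calculated output interface
    DROP = "drop"        # (b) drop: access denied
    PUNT = "punt"        # (c) hand to the higher-level (software) processor


# Packet label 200 layout, most significant field first (widths assumed).
FIELDS = [("iface", 8), ("proto", 8), ("sport", 16), ("dport", 16),
          ("src", 32), ("dst", 32)]
WIDTH = dict(FIELDS)


def pack_label(**values):
    """Concatenate header fields into one integer; absent fields are zero."""
    label = 0
    for name, width in FIELDS:
        v = values.get(name, 0)
        if isinstance(v, str):                   # dotted IPv4 address
            v = int(ipaddress.IPv4Address(v))
        assert 0 <= v < (1 << width), f"{name} out of range"
        label = (label << width) | v
    return label


@dataclass(frozen=True)
class Specifier:
    pattern: int   # label match pattern 213
    mask: int      # label match mask 212: 1 = bit tested, 0 = don't care
    action: Action


def spec(action, **fields):
    """Specifier testing only the named fields: an IPv4 prefix string becomes
    a pattern/mask pair, a plain integer an exact match."""
    pat, msk = {}, {}
    for name, v in fields.items():
        if isinstance(v, str):
            net = ipaddress.IPv4Network(v, strict=False)
            pat[name], msk[name] = int(net.network_address), int(net.netmask)
        else:
            pat[name], msk[name] = v, (1 << WIDTH[name]) - 1
    return Specifier(pack_label(**pat), pack_label(**msk), action)


def lookup(specifiers, label, default=Action.DROP):
    """Every specifier is compared at once; the priority encoder then picks
    the lowest-address hit. No hit at all -> default (assumed: deny)."""
    hits = [s for s in specifiers if (label ^ s.pattern) & s.mask == 0]
    return hits[0].action if hits else default


def decide(specifiers, label, higher_level):
    """Step 326 / 328: the hardware result, except that a punted packet's
    result is replaced by the higher-level processor's decision."""
    action = lookup(specifiers, label)
    return higher_level(label) if action is Action.PUNT else action


def process_packet(hdr, in_iface, in_acl, out_acl, route, higher_level):
    """Flow point 310 to 330. hdr holds src, dst, sport, dport and proto.
    Returns the selected output interface, or None when the packet is dropped."""
    in_label = pack_label(iface=in_iface, **hdr)                 # steps 322-324
    out_iface = route(hdr["dst"])                                 # step 325
    if decide(in_acl, in_label, higher_level) is Action.DROP:     # step 326
        return None
    out_label = pack_label(iface=out_iface, **hdr)               # step 327
    if decide(out_acl, out_label, higher_level) is Action.DROP:   # step 328
        return None
    return out_iface                                              # flow point 330


# Constructed sample configuration. An earlier, more specific entry takes
# priority over a later, more general one.
IN_ACL = [
    spec(Action.DROP, src="10.0.0.7/32"),            # one host denied ...
    spec(Action.FORWARD, src="10.0.0.0/24"),         # ... rest of its subnet permitted
]
OUT_ACL = [
    spec(Action.PUNT, iface=2, proto=6, dport=23),   # telnet out of iface 2: software decides
    spec(Action.FORWARD),                            # mask 0: matches every label
]


def route(dst):
    """Toy routing element 110: one subnet behind interface 2, the rest on 1."""
    return 2 if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network("192.168.1.0/24") else 1


def software_policy(label):
    """Toy higher-level processor: drops whatever is punted to it."""
    return Action.DROP


def demo(src, dport):
    hdr = dict(src=src, dst="192.168.1.20", sport=40000, dport=dport, proto=6)
    return process_packet(hdr, 1, IN_ACL, OUT_ACL, route, software_policy)


if __name__ == "__main__":
    print(demo("10.0.0.9", 80))    # 2: permitted on input and output
    print(demo("10.0.0.7", 80))    # None: specific deny wins over subnet permit
    print(demo("10.0.0.9", 23))    # None: punted, software policy drops it
```

The list comprehension in lookup stands in for the CAM comparing every entry in parallel; taking the first hit stands in for the priority encoder choosing the lowest address. Because the output-side label carries the output interface chosen at step 325, the same specifier format serves both the input and the output access control element.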
Alternative Embodiments

Although preferred embodiments are disclosed herein, many variations are possible which remain within the concept, scope, and spirit of the invention, and these variations would become clear to those skilled in the art after perusal of this application.